News Items

As growing and maturing data services demand faster Internet speeds and operating systems call for better security, hackers and adversaries continue to interfere. For some, this involves infiltrating home and office wireless networks to steal personal or business information. These attackers often use high-powered signal jamming devices, which are wireless portable devices that impede devices' communication with each other. These jammers also serve as a defense for users trying to avoid these attacks. With this dichotomy in mind, former Khoury doctoral student Hai Nguyen and his advisor Guevara Noubir, both of whom are members of Khoury College's Cybersecurity and Privacy Institute, have developed a novel approach that cancels these high-powered jammers in situations where traditional techniques fail. This failure may occur as a result of the traditional techniques being designed for benign interference, requiring mechanically moving parts that react slowly to jamming, or requiring additional radio frequency bands to achieve resilience. JaX is the name of the duo's technique that sidesteps these situations. This article continues to discuss the researchers' JaX solution.

Northeastern University reports "Signal Jamming Defense Not up to the Task? These Researchers Have a Solution"

P2Pinfect, a novel peer-to-peer botnet that targets the Redis and SSH open-source services, has experienced a 600-time increase in activity since August 28, including a 12.3 percent increase in traffic over the past week. According to Cado Security Labs, P2Pinfect compromises have been seen in China, the US, Germany, the UK, Singapore, Hong Kong, and Japan. P2Pinfect was discovered in July, targeting servers hosting publicly accessible instances of the Redis open-source database. In a new blog post, the researchers noted that targeting Redis is only half of P2Pinfect's functionality, as the malware can also propagate via SSH and includes a list of username/password combinations to facilitate brute-force attacks. Matt Muir, the threat research lead at Cado Security Labs, explained that attackers could use a botnet of this size to conduct disruptive Distributed Denial-of-Service (DDoS) attacks, similar to those launched by hacktivists during the Russia-Ukraine war. Muir added that attackers could use it to mine cryptocurrency on a large scale, or to support additional malware campaigns or social engineering operations such as phishing. This article continues to discuss new findings regarding the P2Pinfect botnet.

SC Media reports "P2Pinfect Botnet Targets Redis and SSH Services"

Face recognition software is often implemented to gatekeep access to secure websites and electronic devices. Researchers are looking into the possibility of defeating it simply by wearing a mask resembling another person's face. The National Institute of Standards and Technology (NIST) recently published research on software designed to detect this type of spoof attack. The new study is published alongside another that evaluates the ability of software to identify potential issues with a photograph or digital facial image, such as one captured for a passport. Together, the two NIST publications provide insight into the effectiveness with which modern image-processing software executes a face analysis task that is becoming increasingly important. This article continues to discuss the two NIST evaluation studies that will help software better detect photo spoofs and image quality issues.

NIST reports "What's Wrong With This Picture? NIST Face Analysis Program Helps to Find Answers"

According to security researchers at SEC Consult, two vulnerabilities discovered earlier this year in Atos Unify products could allow malicious actors to cause disruption and even backdoor the targeted system. The vulnerabilities affect the Atos Unify Session Border Controller (SBC), which provides security for unified communications, the Unify OpenScape Branch product for remote offices, and Border Control Function (BCF), which is designed for emergency services. The researchers discovered that the web interface of these products is affected by CVE-2023-36618, which can be exploited by an authenticated attacker with low privileges to execute arbitrary PHP functions and, subsequently, operating system commands with root privileges. The second security hole, CVE-2023-36619, can be exploited by an unauthenticated attacker to access and execute certain scripts. The researchers stated that attackers could leverage these scripts to cause a denial-of-service (DoS) condition or change the system's configuration. The researchers noted that the vulnerabilities have a critical impact, but the vendor has assigned the flaws a "high severity" rating based on their CVSS score. The researchers stated that attackers can gain full control (root access) over the appliance if any low-privileged user credentials are known and could reconfigure or backdoor the system. Atos has released updates that should patch both Unify vulnerabilities.

SecurityWeek reports: "Atos Unify Vulnerabilities Could Allow Hackers to Backdoor Systems"

Quantinuum is a merger between Honeywell Quantum Solutions and Cambridge Quantum focused on quantum computing. It aims to help build quantum-hardened cryptographic keys to secure Honeywell's smart utility meters. Quantum Origin is a service that uses quantum computers to generate large random numbers that can safeguard sensitive information or grid infrastructure. The first step in creating cryptographically secure encryption and authentication keys is to generate random numbers. A well-functioning Random Number Generator (RNG) ensures that future cryptographic keys cannot be guessed based on a predictable pattern. Traditionally, random numbers are generated algorithmically or with hardware devices that sample physical phenomena such as electrical noise. This article continues to discuss Honeywell securing its meters with cryptographic keys from Quantinuum.

IEEE Spectrum reports "Smart Utility Meter Security Takes a Quantum Leap"

The cloud security vendor Skyhawk has introduced a new benchmark for evaluating generative Artificial Intelligence (AI) Large Language Models' (LLMs) ability to identify and score cybersecurity threats within cloud logs and telemetries. According to the company, the free resource analyzes the accuracy with which ChatGPT, Google BARD, Anthropic Claude, and other LLAMA2-based open LLMs predict the maliciousness of an attack sequence. From a risk perspective, generative AI chatbots and LLMs can be a double-edged sword, but when used properly, they can significantly improve an organization's cybersecurity. Their potential to identify and dissect possible security threats faster and in greater volume than human security analysts is one of the benefits they offer. A Cloud Security Alliance (CSA) report exploring the cybersecurity implications of LLMs suggests that generative AI models can be used to improve the scanning and filtering of security vulnerabilities. CSA demonstrated in the paper that OpenAI's Codex Application Programming Interface (API) is an effective vulnerability scanner for programming languages, including C, C#, Java, and JavaScript. This article continues to discuss the generative AI benchmark that evaluates the ability of LLMs to identify and score cybersecurity threats within cloud logs and telemetries.

CSO Online reports "Skyhawk Security Ranks Accuracy of LLM Cyberthreat Predictions"

According to Rockwell Automation, 60 percent of cyberattacks against the industrial sector are conducted by state-affiliated actors and are often facilitated by internal personnel (33 percent of the time). This aligns with other industry research that suggests Operational Technology/Industrial Control Systems (OT/ICS) cybersecurity incidents are increasing in volume and frequency, and are targeting critical infrastructure, including energy producers. In the last three years, the number of OT/ICS cybersecurity incidents has already surpassed the total number reported between 1991 and 2000. The energy sector is the primary target of threat actors (39 perecent of attacks), which is over three times more frequently targeted than critical manufacturing (11 percent) and transportation (10 percent). This article continues to discuss key findings from Rockwell Automation's "Anatomy of 100+ Cybersecurity Incidents in Industrial Operations" report.

Help Net Security reports "Rising OT/ICS Cybersecurity Incidents Reveal Alarming Trend"

Following the disclosure of vulnerabilities in Mozilla's Firefox and Thunderbird, the National Cyber Security Agency in Qatar urges Adobe users to apply patches. However, other affected browsers were not mentioned. The vulnerability, tracked as CVE-2023-4863 with a CVSS score of 8.8, is a critical heap buffer overflow in the WebP library. It enables Remote Code Execution (RCE) and affects three versions of Firefox and two Thunderbird releases. The vulnerability also impacts other browsers supporting this library, including Google Chrome, Microsoft Edge, Mozilla Firefox, and Apple Safari. Google recently warned that the vulnerability had been exploited in the wild as a zero-day before being patched. WebP allows administrators and web developers to create smaller, more robust images to improve user experience. This article continues to discuss the WebP vulnerability affecting multiple browsers.

Dark Reading reports "Qatar Cyber Chiefs Warn on Mozilla RCE Bugs"

A regulation requiring organizations conducting business in China to notify the government of software vulnerabilities within 48 hours of discovery reflects the Chinese government's increasingly strategic view of security flaws. A new report published by the Atlantic Council highlights how companies are complying with China's "Regulations on the Management of Network Product Security Vulnerabilities" (RMSV) law, as well as the mandate's effect on the broader vulnerability disclosure landscape and China's offensive hacking capabilities. This article continues to discuss key findings and points from the Atlantic Council's report on the 2021 RMSV.

Decipher reports "The Emergence of Security Flaws as a 'National Resource' in China"

Since the release of ChatGPT to the public, the adoption of Artificial Intelligence (AI) and Machine learning (ML) systems has increased significantly. In order to gain a competitive advantage, companies are racing to adopt AI technology. However, they may be exposing themselves to cybercriminals. ML models that drive many AI applications are susceptible to attacks against data contained within AI systems and adversarial ML attacks. Adversarial ML involves providing malicious input to an ML model to cause it to generate inaccurate results or degrade its performance. This attack could occur during the training phase of the ML model, or it could be introduced later via input samples to trick a trained model. This article continues to discuss how ML models are trained, the different types of adversarial ML attacks, and how to combat such attacks.

Cybernews reports "AI Under Criminal Influence: Adversarial Machine Learning Explained"

According to a new report from New York University (NYU), the immersive Internet experience known as the metaverse will erode users' privacy unless significant measures are taken to improve and regulate how the technology collects and stores personal data. The metaverse relies on Extended Reality (XR) technologies, encompassing Augmented Reality (AR), Virtual Reality (VR), and Mixed Reality (MR). The report from NYU's Stern Center for Business and Human Rights warns that because the technology cannot function without collecting and processing personal and bodily data, it poses a significant privacy risk. According to the report, behavioral and psychological information about individuals can be deduced from bodily data alone. Conventional XR hardware includes sensors that continuously track at least three categories of user data: head movements, eye movements, and spatial maps of physical surroundings. The report argues that when compiled over time, these types of data can disclose "highly sensitive information" about users, such as their physical and mental health, which can be used for commercial or political gain. This article continues to discuss privacy threats posed by metaverse technology.

The Record reports "Metaverse Poses Serious Privacy Risks for Users, Report Warns"

The APT36 hacking group, also known as Transparent Tribe, has been using at least three YouTube-mimicking Android apps to infect devices with their signature Remote Access Trojan (RAT) called CapraRAT. Once the malware has been installed on a victim's device, it can extract data, record audio and video, and access sensitive communication information, functioning as a spyware tool. APT36 is a Pakistan-aligned threat actor notorious for using malicious Android apps to target Indian defense and government entities, those dealing with Kashmir region affairs, and human rights activists. The latest campaign was discovered by SentinelLabs, which warns military and diplomacy organizations in India and Pakistan to be cautious about YouTube Android apps hosted on third-party sites. This article continues to discuss the APT36 hacking group using Android apps that mimic YouTube to infect devices with CapraRAT.

Bleeping Computer reports "APT36 State Hackers Infect Android Devices Using YouTube App Clones"

Earth Lusca, a threat actor with ties to China, has been observed targeting government organizations with a new Linux backdoor called SprySOCKS. Trend Micro first documented Earth Lusca in January 2022, detailing the adversary's attacks against public and private sector entities in Asia, Australia, Europe, and North America. Since 2021, the group has used spear-phishing and watering hole attacks to execute its cyber espionage schemes. Some of the group's activities overlap with another threat cluster tracked by Recorded Future as RedHotel. New findings suggest that Earth Lusca remains an active group, expanding its operations to target organizations worldwide in the first half of 2023. Foreign affairs, technology, and telecommunications-related government departments are primary targets. This article continues to discuss the China-linked threat Earth Lusca targeting government entities using a new Linux backdoor called SprySOCKS.

THN reports "Earth Lusca's New SprySOCKS Linux Backdoor Targets Government Entities"

Two Middle Eastern telecommunications organizations were recently compromised by a potentially novel threat actor using two backdoors with new methods for covertly loading malicious shellcode onto a target system. Cisco Talos dubbed the intrusion set "ShroudedSnooper" because it could not link the activity to previously identified groups. ShroudedSnooper uses two backdoors, "HTTPSnoop" and "PipeSnoop," with advanced anti-detection mechanisms, such as masquerading as popular software products and infecting low-level Windows server components. Once implanted, they execute shellcode to give cyberattackers a persistent foothold in victims' networks, allowing them to move laterally, exfiltrate data, or release additional malware. This article continues to discuss findings regarding the ShroudedSnooper set of backdoors.

Dark Reading reports "'ShroudedSnooper' Backdoors Use Ultra-Stealth in Mideast Telecom Attacks"

Clorox has recently admitted its operations are still experiencing significant disruption after the firm experienced a cyberattack a month ago. Clorox announced the attack on August 14, revealing it had observed unauthorized activity on some IT systems, which had to subsequently be taken offline while it remediated the incident. Although the company stated in an SEC filing yesterday that it "believes the unauthorized activity is contained," it warned of a significant impact to the business, as it was forced to revert to manual ordering and processing. Clorox admitted that it is operating at a lower rate of order processing and has recently begun to experience an elevated level of consumer product availability issues. Clorox noted that the attack had damaged portions of its IT infrastructure and caused "widescale disruption" to its operations. The company is repairing the infrastructure and is reintegrating the systems that were proactively taken offline. The company expects to begin the process of transitioning back to normal automated order processing the week of September 25. Clorox stated that it has already resumed production at the vast majority of its manufacturing sites and expects the ramp-up to full production to occur over time. However, at this time, the company cannot estimate how long it will take to resume fully normalized operations. Clorox is still working out the financial and business impact of the security breach, although it admitted that rising order processing delays and product outages mean that there will be a material impact on Q1 financial results.

Infosecurity reports: "Clorox Struggling to Recover From August Cyberattack"

There is a new approach to combating phishing attacks to improve online security, reduce cybercrime against individuals and businesses, and prevent attacks against governments. Computer security systems are continuously challenged by the emergence of increasingly sophisticated phishing attacks, which may also use social engineering and malware. T. Kalaichelvi of the Panimalar Engineering College in Chennai, India, and colleagues have proposed a new technique for threat modeling capable of identifying and eliminating vulnerabilities that make a computer system more vulnerable to phishing attacks. The team's method uses the STRIDE threat design methodology, a powerful tool with a 96.3 percent detection rate for phishing web addresses. Individuals and organizations can use this work to combat the phishing threat. This article continues to discuss the study on detecting phishing attempts in communications systems.

Inderscience reports "Unhooking Phishing Threats - The Detection of Phishing Attempts in Communications Systems"

The Federal Communications Commission (FCC) has proposed a cybersecurity labeling program to protect smart device users. The new initiative encompasses Internet of Things (IoT) devices such as Wi-Fi routers, digital personal assistants, home security cameras, GPS trackers, medical devices, and other Internet-connected appliances. Although the underlying problem is real and devices are often found to lack adequate cybersecurity, many, including one of the FCC's commissioners, consider the proposed solution lightweight. This article continues to discuss the effort to boost IoT security.

Cybernews reports "New Proposal Aims to Boost IoT Security With a Sticker"

The Microsoft-owned healthcare technology company Nuance has disclosed that the Clop extortion gang stole personal data on major North Carolina hospitals as part of the Progress MOVEit Transfer campaign. Companies use MOVEit Transfer to securely transmit files via SFTP, SCP, and HTTP-based uploads. Microsoft credits the Clop ransomware group, also known as Lace Tempest, with exploiting a zero-day vulnerability in the MOVEit Transfer platform, tracked as CVE-2023-34362. In June, the Clop ransomware group claimed to have compromised hundreds of businesses worldwide by exploiting the MOVEit Transfer flaw. The group's victims also include Microsoft's Nuance healthcare technology subsidiary. This article continues to discuss the Clop gang being behind a series of cyber thefts at major North Carolina hospitals.

Security Affairs reports "Clop Gang Stolen Data From Major North Carolina Hospitals"